
The Malicious User is placed in the data VLAN, VLAN 10 for example. The phone is placed in the voice VLAN, VLAN 20 for example. We already know that via VLAN hopping we can jump into the voice VLAN, create a dot1q interface in BT4 and ARP poison phone conversations.
However, just say there is a third VLAN, VLAN 30 for example, which is a management VLAN. ACLs block VLAN access from VLAN 10 to VLAN 30, but allow it from VLAN 20 to VLAN 30.
So when we VLAN hop into VLAN 20, we can access the management VLAN. Cool.

My goal and point of the lab is to ARP poison traffic on VLAN 30 so I can capture management traffic.

So here are my two questions.

- Because VLAN 30 is a remote network, I can't ARP poison it. I have read mixed reports about remote ARP poisoning; however, the closest I have ever come is to ARP poison the gateway on VLAN 20 and hope that I can capture VLAN20->VLAN30 information, which is NOT what I want, and will only result in a one-sided poison, half duplex if you will. Is there such a thing as remote network ARP poisoning?
- If I cannot remote network ARP poison, can I double VLAN hop (triple VLAN tagging) into VLAN 30? If this is possible I could then ARP poison directly on VLAN 30.
  - Two issues with this. Firstly, everywhere I've read states that triple tagging is possible, and I can understand how technically it could be, but I have yet to see a working example.
  - Secondly, from the vague information about Voice VLAN assignments (VVID), the switchport voice vlan 20 command acts like: switchport trunk allowed vlan 20. I am unsure whether triple tagging would work over a VVID *trunk*; my theory is it would just drop the packet.

The major problem I'm hitting with triple tagging is custom packet generation. Can anyone suggest a way to build my own packet with additional VLAN headers?

First of all, ARP is not a routed protocol; it is used only internally and does not usually traverse networks. This is not strictly true, it can traverse via a network bridge, but as it is a broadcast protocol it does not typically go anywhere any other broadcast wouldn't.

The "secret" is the subnet mask..... Yeah, that nasty complicated thing they make you study.... They never really tell you what it's for. I'll let the dog out of the bag.

The subnet mask really is only used for one thing (not really)... Determining whether the IP address of the machine to be contacted is "local". It may be through routers still but it could still be considered local depending upon the router's configuration and the subnet mask. If the destination IP address doesn't fit in the subnet mask then the returned packet is sent to the default gateway, if it fits the subnet mask and the _local_ ARP table doesn't hold the required information, (the MAC address), then an ARP request is sent out to get the MAC address of the machine.

Thus, it is either impossible or _really really_ difficult, (depends on the security level of the network as a whole), to ARP poison a remote network, (you have to have a network that is relatively "local" and wide open to broadcasts of ARP to be able to accomplish it!)
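The forwarding decision the reply describes, written out as an added example (not code from the thread): a host compares the destination against its own subnet mask, and only ARP-resolves addresses that are local, so a destination on another VLAN triggers an ARP request for the default gateway at most, never for the remote host. The addresses, mask and ARP cache below are constructed for the illustration.

```python
import ipaddress
from typing import Dict, Tuple


def is_local(src_ip: str, netmask: str, dst_ip: str) -> bool:
    """True when dst_ip falls inside the sender's own subnet (mask test)."""
    network = ipaddress.IPv4Network(f"{src_ip}/{netmask}", strict=False)
    return ipaddress.IPv4Address(dst_ip) in network


def next_hop_decision(src_ip: str, netmask: str, gateway: str,
                      dst_ip: str, arp_table: Dict[str, str]) -> Tuple[str, str]:
    """Decide which IP the sender must resolve at layer 2 to reach dst_ip.

    Returns (target_ip, action):
      target_ip  the address whose MAC is needed (dst itself if local,
                 otherwise the default gateway)
      action     "use_cached_mac" if the local ARP table already has it,
                 "arp_request" if a broadcast ARP request would go out
    """
    target = dst_ip if is_local(src_ip, netmask, dst_ip) else gateway
    if target in arp_table:
        return target, "use_cached_mac"
    return target, "arp_request"


if __name__ == "__main__":
    # Constructed lab values: attacker-side host on the voice VLAN (10.20.0.0/24),
    # management VLAN at 10.30.0.0/24, gateway 10.20.0.1.
    host, mask, gw = "10.20.0.5", "255.255.255.0", "10.20.0.1"
    arp_cache = {"10.20.0.1": "00:00:5e:00:53:01"}  # constructed cache entry

    # Same VLAN: the host itself is ARP-resolved, so it is reachable by ARP traffic.
    print(next_hop_decision(host, mask, gw, "10.20.0.77", arp_cache))
    # Other VLAN: only the gateway is ever resolved; 10.30.0.10 never sees the ARP.
    print(next_hop_decision(host, mask, gw, "10.30.0.10", arp_cache))
    print(next_hop_decision(host, mask, gw, "10.30.0.10", {}))
```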